From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C20E8CD379F for ; Tue, 3 Sep 2024 16:46:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date: Message-ID:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=BqvXA/3XZ5X8cHInUkHq4ej7Z/KzDFXPr58Ls+fV6i4=; b=e3x4Un3iviRI4+6aOSV5WjHcUe vZF3h41T/N5gct4upy3KfEXxiWovCNfs6+9AbSzUrgWIXGbmi0LXxHClPOLRYj7MEmNRR0cWyogNR NRjuhHPKaJJBsGYFu9I/j3HAmWKQidLAfaXAzuZ6ADjb2E53Lt7u58AOVxRP4sUgWotvcDNBZvMyC fb2GQJvzfImjvTa/yWaH/m52ij6D2SzTA7G0/Tawsl5tURcdzEJidLKVifUrhJHdWjB9Om+qXgn8s Yk4i2Kj/HYgsSTBwBGkg/BAbrfRTlGs66WWSz4UGsz46NdZ0d6pETpZnSMnVFHWoUyG3oF7wOZ8Z2 msjLHSYQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1slWfS-00000001BG3-06h2; Tue, 03 Sep 2024 16:46:10 +0000 Received: from mail-io1-xd32.google.com ([2607:f8b0:4864:20::d32]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1slWdF-00000001Agw-1gYn for linux-arm-kernel@lists.infradead.org; Tue, 03 Sep 2024 16:44:15 +0000 Received: by mail-io1-xd32.google.com with SMTP id ca18e2360f4ac-82a24deca03so187427339f.0 for ; Tue, 03 Sep 2024 09:43:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sifive.com; s=google; t=1725381832; x=1725986632; darn=lists.infradead.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=BqvXA/3XZ5X8cHInUkHq4ej7Z/KzDFXPr58Ls+fV6i4=; b=AfViC10PgqteQLmC8BViXh0zDwJwzms9pYQyMsViRUlgP6ovYMhKclvG0e5zMb+bSO xLtCEifM1Q9c0Zt790ks4hhzCYnnLj6vL15xoKcew8nCVEkf21Y6KnPgCGQ6h8EzjGUe G0sb47ZZD0yXnlklP6dlYor7xbYoVP4jKDtA82bJGWQnaFF8N48haqAYtpzQ9kCnF7JQ PZKLKKtCDQipWRFQW0Wfk1IiQV+6cRXT21oEwPo6B7/4OT5qYNvAi0I2Y59KbDa/f0VT JkRbFAN0f1iWNxiqFqeOQs4UsOLCyP8NwQCWxfrcrdctiCnOHsQZHj2/MZbJyc3Obfk9 hVVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725381832; x=1725986632; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BqvXA/3XZ5X8cHInUkHq4ej7Z/KzDFXPr58Ls+fV6i4=; b=QJYH3wdPV8xDFPy0NtJ7ZzOn0pMd+xM2z+rRrW8eCozEpNytHQ1n647mx0w4N2n5dN 81aCRlLi6+QwqU/TXUloAc0Cx9tBMhoMxbNsvLWdpG3i5UYrq5q4nVSSDcxdLG/EjR13 hweAVPtCMwLJoqQl7igwemMVI0MXf8Bb6dogGTBxdGprlmtQXschN7vwVx8PogBt3vlT XrKIyVZiqA1xj5qk25JqBo4YRxBofsvQ2C1JK71UbFOBbFaSPkchOz3A9ux0SRurYZ+q V51rWvFMziTws8DhLrP5ao/aB1crmuJ3becOJHNGM60G1NW9W9g7fiYk3DyinH6P6/5N TxTA== X-Forwarded-Encrypted: i=1; AJvYcCUZ5nUjP5RxpkGgA4sSyI3XbgsuKTOBvzyw8qpPVDohPd4R4bTkRw6AsTq8ryaN0I+k3SIDYtrWMqLSANjFnLU6@lists.infradead.org X-Gm-Message-State: AOJu0YxlL2MJGuJznUgld8d2boSyYGFLINxHyVb/JyDWPq1lFo3pls8M qFQ6Nl+FI/GQSnI0DOndTOD5nTc4hVEiudeQGoEPqZUIbwYeLmF6X4fkCKGrx5U= X-Google-Smtp-Source: AGHT+IGWs0ecj4oOIIuZ0aCG8Rb5IKSS80e/aUXkI0a4z3y9UTTKRgHACCHwKnH4Q+AQWhR4cx7fKA== X-Received: by 2002:a05:6602:15c6:b0:82a:2cd4:a788 with SMTP id ca18e2360f4ac-82a37560e77mr1271578739f.15.1725381832025; Tue, 03 Sep 2024 09:43:52 -0700 (PDT) Received: from [100.64.0.1] ([147.124.94.167]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4ced2de7825sm2781071173.63.2024.09.03.09.43.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 03 Sep 2024 09:43:50 -0700 (PDT) Message-ID: Date: Tue, 3 Sep 2024 11:43:48 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [syzbot] [arm?] upstream test error: KASAN: invalid-access Write in setup_arch To: Marc Zyngier , Alexander Potapenko Cc: Andrey Konovalov , Aleksandr Nogikh , kasan-dev , Will Deacon , syzbot , catalin.marinas@arm.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com References: <000000000000f362e80620e27859@google.com> <20240830095254.GA7769@willie-the-truck> <86wmjwvatn.wl-maz@kernel.org> <86seugvi25.wl-maz@kernel.org> Content-Language: en-US From: Samuel Holland In-Reply-To: <86seugvi25.wl-maz@kernel.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240903_094353_541511_29C879DF X-CRM114-Status: GOOD ( 25.83 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 2024-09-03 11:05 AM, Marc Zyngier wrote: > On Tue, 03 Sep 2024 16:39:28 +0100, > Alexander Potapenko wrote: >> >> On Mon, Sep 2, 2024 at 12:03 PM 'Aleksandr Nogikh' via kasan-dev >> wrote: >>> >>> +kasan-dev >>> >>> On Sat, Aug 31, 2024 at 7:53 PM 'Marc Zyngier' via syzkaller-bugs >>> wrote: >>>> >>>> On Fri, 30 Aug 2024 10:52:54 +0100, >>>> Will Deacon wrote: >>>>> >>>>> On Fri, Aug 30, 2024 at 01:35:24AM -0700, syzbot wrote: >>>>>> Hello, >>>>>> >>>>>> syzbot found the following issue on: >>>>>> >>>>>> HEAD commit: 33faa93bc856 Merge branch kvmarm-master/next into kvmarm-m.. >>>>>> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git fuzzme >>>>> >>>>> +Marc, as this is his branch. >>>>> >>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1398420b980000 >>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=2b7b31c9aa1397ca >>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=908886656a02769af987 >>>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 >>>>>> userspace arch: arm64 >>>> >>>> As it turns out, this isn't specific to this branch. I can reproduce >>>> it with this config on a vanilla 6.10 as a KVM guest. Even worse, >>>> compiling with clang results in an unbootable kernel (without any >>>> output at all). >>>> >>>> Mind you, the binary is absolutely massive (130MB with gcc, 156MB with >>>> clang), and I wouldn't be surprised if we were hitting some kind of >>>> odd limit. >>>> >>>>>> >>>>>> Downloadable assets: >>>>>> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-33faa93b.raw.xz >>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/9093742fcee9/vmlinux-33faa93b.xz >>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/b1f599907931/Image-33faa93b.gz.xz >>>>>> >>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit: >>>>>> Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com >>>>>> >>>>>> Booting Linux on physical CPU 0x0000000000 [0x000f0510] >>>>>> Linux version 6.11.0-rc5-syzkaller-g33faa93bc856 (syzkaller@syzkaller) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #0 SMP PREEMPT now >>>>>> random: crng init done >>>>>> Machine model: linux,dummy-virt >>>>>> efi: UEFI not found. >>>>>> NUMA: No NUMA configuration found >>>>>> NUMA: Faking a node at [mem 0x0000000040000000-0x00000000bfffffff] >>>>>> NUMA: NODE_DATA [mem 0xbfc1d340-0xbfc20fff] >>>>>> Zone ranges: >>>>>> DMA [mem 0x0000000040000000-0x00000000bfffffff] >>>>>> DMA32 empty >>>>>> Normal empty >>>>>> Device empty >>>>>> Movable zone start for each node >>>>>> Early memory node ranges >>>>>> node 0: [mem 0x0000000040000000-0x00000000bfffffff] >>>>>> Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff] >>>>>> cma: Reserved 32 MiB at 0x00000000bba00000 on node -1 >>>>>> psci: probing for conduit method from DT. >>>>>> psci: PSCIv1.1 detected in firmware. >>>>>> psci: Using standard PSCI v0.2 function IDs >>>>>> psci: Trusted OS migration not required >>>>>> psci: SMC Calling Convention v1.0 >>>>>> ================================================================== >>>>>> BUG: KASAN: invalid-access in smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline] >>>>>> BUG: KASAN: invalid-access in setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356 >>>>>> Write of size 4 at addr 03ff800086867e00 by task swapper/0 >>>>>> Pointer tag: [03], memory tag: [fe] >>>>>> >>>>>> CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.11.0-rc5-syzkaller-g33faa93bc856 #0 >>>>>> Hardware name: linux,dummy-virt (DT) >>>>>> Call trace: >>>>>> dump_backtrace+0x204/0x3b8 arch/arm64/kernel/stacktrace.c:317 >>>>>> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 >>>>>> __dump_stack lib/dump_stack.c:93 [inline] >>>>>> dump_stack_lvl+0x260/0x3b4 lib/dump_stack.c:119 >>>>>> print_address_description mm/kasan/report.c:377 [inline] >>>>>> print_report+0x118/0x5ac mm/kasan/report.c:488 >>>>>> kasan_report+0xc8/0x108 mm/kasan/report.c:601 >>>>>> kasan_check_range+0x94/0xb8 mm/kasan/sw_tags.c:84 >>>>>> __hwasan_store4_noabort+0x20/0x2c mm/kasan/sw_tags.c:149 >>>>>> smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline] >>>>>> setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356 >>>>>> start_kernel+0xe0/0xff0 init/main.c:926 >>>>>> __primary_switched+0x84/0x8c arch/arm64/kernel/head.S:243 >>>>>> >>>>>> The buggy address belongs to stack of task swapper/0 >>>>>> >>>>>> Memory state around the buggy address: >>>>>> ffff800086867c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>>>>> ffff800086867d00: 00 fe fe 00 00 00 fe fe fe fe fe fe fe fe fe fe >>>>>>> ffff800086867e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe >>>>>> ^ >>>>>> ffff800086867f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe >>>>>> ffff800086868000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe >>>>>> ================================================================== >>>>> >>>>> I can't spot the issue here. We have a couple of fixed-length >>>>> (4 element) arrays on the stack and they're indexed by a simple loop >>>>> counter that runs from 0-3. >>>> >>>> Having trimmed the config to the extreme, I can only trigger the >>>> warning with CONFIG_KASAN_SW_TAGS (CONFIG_KASAN_GENERIC does not >>>> scream). Same thing if I use gcc 14.2.0. >>>> >>>> However, compiling with clang 14 (Debian clang version 14.0.6) does >>>> *not* result in a screaming kernel, even with KASAN_SW_TAGS. >>>> >>>> So I can see two possibilities here: >>>> >>>> - either gcc is incompatible with KASAN_SW_TAGS and the generic >>>> version is the only one that works >>>> >>>> - or we have a compiler bug on our hands. >>>> >>>> Frankly, I can't believe the later, as the code is so daft that I >>>> can't imagine gcc getting it *that* wrong. >>>> >>>> Who knows enough about KASAN to dig into this? >> >> This looks related to Samuel's "arm64: Fix KASAN random tag seed >> initialization" patch that landed in August. > > f75c235565f9 arm64: Fix KASAN random tag seed initialization > > $ git describe --contains f75c235565f9 --match=v\* > v6.11-rc4~15^2 > > So while this is in -rc4, -rc6 still has the same issue (with GCC -- > clang is OK). I wouldn't expect it to be related to my patch. smp_build_mpidr_hash() gets called before kasan_init_sw_tags() both before and after applying my patch. Since the variable in question is a stack variable, the random tag is generated by GCC, not the kernel function. Since smp_build_mpidr_hash() is inlined into setup_arch(), which also calls kasan_init(), maybe the issue is that GCC tries to allocate the local variable and write the tag to shadow memory before kasan_init() actually sets up the shadow memory? Regards, Samuel >> I am a bit surprised the bug is reported before the >> "KernelAddressSanitizer initialized" banner is printed - I thought we >> shouldn't be reporting anything until the tool is fully initialized. > > Specially if this can report false positives... > > Thanks, > > M. >